Allow to install kubeapps in several namespaces #508
Conversation
| ``` | ||
|
|
||
| The command removes all the Kubernetes components associated with the chart and deletes the release. | ||
| The first command removes most of the Kubernetes components associated with the chart and deletes the release. After that, if there are no more instances of Kubeapps in the cluster you can manually delete the `apprepositories.kubeapps.com` CRD used by Kubeapps that is shared for the entire cluster. |
There was a problem hiding this comment.
I'd make it more explicit that if you delete the CRD you will break other instances of Kubeapps running in the same cluster.
| @@ -1,7 +1,10 @@ | |||
| {{- if not (.Capabilities.APIVersions.Has "kubeapps.com/v1alpha1") -}} | |||
There was a problem hiding this comment.
Would you mind adding a comment mentioning that this might have happened if another instance of kubeapps has been installed.
| - kubeapps.com | ||
| resources: | ||
| - apprepositories | ||
| verbs: |
There was a problem hiding this comment.
Do you need all these verbs?
There was a problem hiding this comment.
nope, only list and delete
| @@ -0,0 +1,47 @@ | |||
| {{- if .Values.rbac.create -}} | |||
There was a problem hiding this comment.
Ditto previous comment about adding some context on why this this job is needed in a comment.
There was a problem hiding this comment.
added in all the cleanup related files.
docs/user/access-control.md
Outdated
|
|
||
| ``` | ||
| kubectl apply -f - << EOF |
There was a problem hiding this comment.
Maybe for a first version it might make sense to store these yaml in the repo so it can be easier installed via kubectl create -f 'http://github.com/foobar.yaml'
There was a problem hiding this comment.
I like having the role definition here because it's more verbose and users won't be applying them blindly. Also we'd avoid possible broken links if we move/delete those files from the repo.
In any case, if you think it's a price worth to pay for the simplicity it provides I am fine as well.
There was a problem hiding this comment.
rethinking about this, having a file is more windows-friendly (I don't think the << EOF works there)
docs/user/access-control.md
Outdated
| @@ -60,10 +73,28 @@ available in most Kubernetes distributions, you can find more information about | |||
| that role | |||
| [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). | |||
|
|
|||
| Apart from that role we need to create an additional one to have read access to the app repositories. | |||
There was a problem hiding this comment.
I'd put the creation of the repositories-read role just after this sentence since you set the stage.
There was a problem hiding this comment.
Apart from that role we need to create an additional one to have read access to the app repositories.
Additionally, we need to create a role to give read access to App Repositories and bind it to our service account.
docs/user/access-control.md
Outdated
| - clusterserviceplans | ||
| verbs: | ||
| - list | ||
| EOF |
There was a problem hiding this comment.
I definitely think that we need to extract these yamls to external files since these documentation is becoming too dense.
In the meantime I'd add spaces and comments between the different steps.
|
waiting for @prydonius's input here |
chart/kubeapps/README.md
Outdated
| The command removes all the Kubernetes components associated with the chart and deletes the release. | ||
| The first command removes most of the Kubernetes components associated with the chart and deletes the release. After that, if there are no more instances of Kubeapps in the cluster you can manually delete the `apprepositories.kubeapps.com` CRD used by Kubeapps that is shared for the entire cluster. | ||
|
|
||
| > **NOTE**: If you delete the CRD for `apprepositories.kubeapps.com` it will delete the repositories for **all** the installed instances of `kubeapps`. That'll break existing installations of `kubeapps` if they exist. |
| metadata: | ||
| name: {{ template "kubeapps.apprepository-jobs-cleanup.fullname" . }} | ||
| annotations: | ||
| helm.sh/hook: pre-delete |
There was a problem hiding this comment.
should this be post-delete? What if deletion fails?
There was a problem hiding this comment.
yes, it will fit better in the post-delete hook
| @@ -0,0 +1,47 @@ | |||
| {{- if .Values.rbac.create -}} | |||
| # The cleanup job is necessary to remove "apprepositories" created | |||
There was a problem hiding this comment.
I don't think we need this comment here, just in the Job
| @@ -0,0 +1,15 @@ | |||
| # The cleanup job is necessary to remove "apprepositories" created | |||
There was a problem hiding this comment.
I don't think we need this comment here, just in the Job
| @@ -0,0 +1,47 @@ | |||
| # The cleanup job is necessary to remove "apprepositories" created | |||
| # in the bootstrap job or in the web application | |||
There was a problem hiding this comment.
I would make this comment simpler, e.g.: "Clean up the AppRepository resources used by this Kubeapps instance"
docs/user/access-control.md
Outdated
| @@ -60,10 +73,28 @@ available in most Kubernetes distributions, you can find more information about | |||
| that role | |||
| [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). | |||
|
|
|||
| Apart from that role we need to create an additional one to have read access to the app repositories. | |||
There was a problem hiding this comment.
Apart from that role we need to create an additional one to have read access to the app repositories.
Additionally, we need to create a role to give read access to App Repositories and bind it to our service account.
| metadata: | ||
| name: {{ template "kubeapps.apprepository-jobs-cleanup.fullname" . }} | ||
| annotations: | ||
| helm.sh/hook: pre-delete |
There was a problem hiding this comment.
@andresmgot I think this should be post-delete right? I'll make a PR: #530
Fixes #463